Commissioner Jourová's intervention at the event "The General Data Protection Regulation one year on: Taking stock in the EU and beyond"
Ladies and gentlemen,
I am very happy to welcome you to this event, marking one year since the EU General Data Protection Regulation (known under my most beloved abbreviation GDPR) began to apply.
The main purpose is to help us assessing how the GDPR has been working so far. I would like to have an honest and objective assessment, especially on the three questions that the panellists will try to answer throughout the day.
So, I would like to understand where we are on the consistent application and interpretation of the GDPR. I would like to assess what’s the impact of the GDPR on innovation and entrepreneurship in Europe and finally I would want to understand if and how the people are using their new rights.
I also count on this event to help me set up a list of priorities until the very last day of my mandate. I have some ideas I will share shortly, but as I often said, the GDPR is a teamwork and we will only succeed if we work together.
With the input from this conference I am planning to issue a report, or as we call it, a Commission Communication on GDPR – state of play one year after still before the summer.
This will be important input for the next Commissioner who will have to start working on the 2020 review and also review the various existing adequacy decisions.
I expect this to be a pragmatic working event. But allow me for a brief moment to turn a bit more philosophical. I think it helps us to understand where we are coming from. On a daily basis, we usually get bogged down in detail, analysing the meaning of ‘risks’ or arguing about the interpretation what ‘accountability’ means. We look with despair at news or new announcements from data-hungry platforms.
But in fact the concept of privacy developed from broader struggle for liberty and democracy. Without privacy, there is no space where we are free to think, develop our own ideas, experiment and pursue our life as we deem fit.
This is how the country I grew up in used to work – the communist Czechoslovakia.
One of my favourite authors, Milan Kundera once wrote, “Private and public are two essentially different worlds and respect for that difference is the indispensable condition, the sine qua non, for a man to live free”.
And I think in democracies we found the right balance. But as our future lives look to be closer to the digital and online sphere than ever, I fear we are again losing that balance.
Our understanding and application of simple concepts, like illegal speech or even respect for human rights, are challenged by the online realm.
This is why the EU adopted the new data protection law: to adapt our rules to the digital reality of today and the future.
OK, let’s come back now to more pragmatic things.
In general I see GDPR still as a baby that is growing fast and is doing well. But we need to continue to nurture it well.
With the GDPR we also raised a number of expectations and we made certain promises. Let me assess briefly some of them.
First, the promise of uniform application of the GDPR across the EU, the game changer compared to the dispersed 28 national regimes under the previous directive.
Here the EU governments are the first in charge. They have to adjust their domestic law. Most of the governments did their job, but still three are lagging behind. Greece, Portugal and Slovenia need to act urgently.
The job of the Commission is to assess if the governments did this right. We are in the process of assessing all the details of the national laws, but I want to use today’s event to pass clear messages:
We must avoid fragmentation and temptation for adding additional conditions or expansive interpretation for the GDPR. The Commission will not tolerate the so-called ‘gold plating’.
Some Member States, especially those with federal structures, need to ensure that the regional levels are also doing their share of the work. Here, dear German government, I am counting on your actions
The second promise we made was the creation of European enforcement culture on privacy.
The GDPR gave powers to EU data protection authorities to enforce GDPR and sanction the violations. One year on, the newly established governance structure with the European Data Protection Board has registered more than 470 cross-border cases around Europe and is working well together to solve them. The fears that they will become sanctioning machines have not materialised. On the contrary, they see themselves as partners for dialogue with business and other stakeholders.
National data protection authorities are the key for GDPR success that is why they need adequate resources. The situation is better than even 1 year ago but there are stark contrasts between Member States.
Reaching out to stakeholders and in particular smaller firms is something I think should continue. This is why the Commission is providing financial support to national data protection authorities in this respect with so far three million euros.
And I would urge not to judge the success of the GDPR by the amount of fines. The fines will come, when the breaches will be established, but I am glad that the DPAs are taking a thorough approach to their often-complex investigations. This is not a race, and quality is more important than speed also because DPAs will often have to defend those fines in court.
But the robust enforcement is coming: from the 5000 euros to a sport betting cafe for unlawful video surveillance to the 50 million euros fine to Google in a case concerning the conditions under which consent was obtained for certain processing of data.
Another promise we made was a boost for privacy-friendly innovation and a promise of opportunities rather than only costs.
What I hear and read is that companies have made considerable efforts to adjust to the new rules. But, I also hear that companies used this as an opportunity to put their “data house” in order by taking a closer look at how they process it.
We see more and more links between data management and companies’ finances. For instance, a recent Cisco study shows that complying with GDPR helped companies to be better prepared for security breaches and lower its financial impact. These things matter in the real world, beyond legal requirements: Let me just mention the recent Moody’s downgrade of Equifax following a data security incident.
Actually, to a large extent, our experience with the application of the GDPR is that it has showed what data protection is really about – that is, “simply” sound data management.
It is mainly about having a culture of responsible use of data, putting in place operational rules for those at all levels dealing with data and ensuring appropriate data security.
What we also see is that data protection is increasingly a selling point, a strategic driver for business, as more and more users value the privacy and security of their data. For instance, we are observing on the market place the offer of innovative products and services with novel privacy or security solutions.
Many companies say now that privacy is increasingly becoming a competitive differentiator in their markets.
The last promise I want to mention is about the citizens. We promised to give them more tools to control their personal data. Today, we are publishing the new survey about the GDPR. The results show that more than two-thirds of citizens today have heard of the GDPR! 70% of respondents have heard of at least one of their rights.
But still too many people don’t fully know their rights, too many people don’t use the possibility to change their privacy settings. That is why we are launching today a campaign to encourage citizens to optimise their privacy settings.
Also the new ways of enforcing personal data start to be used. NGOs active in the field of data protection have started making use of the possibility to bring representative actions before data protection authorities and courts.
In this respect, I am very interested in the discussions during today’s third panel: ‘How do individuals use their new rights?’
This brings me to the last point I wanted to mention: global convergence.
Ladies and gentlemen,
Data protection is not just a European matter. Privacy is an increasingly global issue. And we should stop to think of it as a domestic or regional one.
In a world where social networks produces massive volumes of user-generated data, where cloud computing and artificial intelligence base their services on data flowing freely across countries, the intrinsic importance of personal data has never before been so clear.
Europe and other countries around the world want to seize the incredible opportunities that the digital transformation of our economies and societies offer. And in doing so, we face similar challenges.
Now we see new legislation adopted and hear calls around the globe for comprehensive data protection rules similar to the GDPR – from Chile to Japan, from Brazil to India, from Argentina to Indonesia, and from Tunisia to Kenya.
Countries around the world are applying rules with very similar features: an overarching privacy law, with a core set of safeguards and rights, and enforced by an independent supervisory authority.
And at multilateral level, the Council of Europe’s Convention 108 – the only binding international agreement on data protection – is increasingly becoming a universal instrument.
It shows that more and more countries are recognising the importance of protecting privacy, for individuals, and for society as a whole. This is also seen in the G20 context which put the concept of “data free flow with trust” at the centre of its agenda.
Many companies have well understood this. Only a few years ago, it would have been hard to believe that businesses would call on governments and regulators to establish comprehensive data protection rules around the world.
I am convinced that this type of convergence, based on strong laws and robust enforcement, can ensure the sustainability of our increasingly data-driven world and facilitate data flows and related trade.
The recent mutual adequacy arrangement we put in place early this year between the EU and Japan, creating the world’s largest area of free and safe data flows shows how strong data protection standards and trade can go hand in hand.
I look forward to intensify our cooperation and work with Japan to promote strong data protection standards with other partners. In this regard, we are engaged in discussions on the “Data Free Flow with Trust” initiative launched by Prime Minister Shinzō Abe.
At the same time, we are pursuing further adequacy talks with third countries. Some seem to be reaching maturity in this regard. For instance, talks with South Korea are at an advanced stage.. While we continue those efforts, we can now take full advantage of the additional tools provided under the GDPR to enable international data transfers based on strong and enforceable safeguards: from standard contractual clauses to certification and codes of conduct.
I plan to be busy with the GDPR until the very last day of my mandate. I have three main priorities.
One, I will watch for uniform application and implementation of the rules in Member States – we have to ensure that our promise of one continent; one law will be fulfilled.
Second, I will continue supporting efficient and pragmatic enforcement by the European Data Protection Board. For that we need to create the European culture of privacy among data protection authorities. In the first year the Board made progress, but I want to continue to play a part in this process.
Third, I want to help businesses, especially smaller firms, to comply. And here the innovative tools of the GDPR such as standard contractual clauses, certification or code of conducts can be important as they can reduce compliance cost and even create safe havens.
We are already working to modernise standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.
Certifications would help companies to gain necessary certainty that the processing operations they do are GDPR compliant. It will also further promote the GDPR globally. I’d be interested to know if we should step up our work here, because to me it seems this could help.
Finally, the codes of conducts didn’t yet fully take off. I know very few are already in place and that some sectors are working on it, but I hope we will see a better use of this tool.
As Commission we are ready to facilitate this process but, given that we are talking of bottom-up tools, the initiative should come first from the industry itself which is best positioned to identify specific sectoral needs. This also would help to ensure more certainty and develop future proof solutions.
Fourth, I will continue to encourage citizens to make best use of their privacy rights.
Ladies and Gentlemen,
I will stop here and allow our panellists to step in.
I am looking forward to your discussions.
I want to thank everyone who came here today and for your feedback. I also want to thank our multistakeholder group and the Fundamental Rights Agency for gathering feedback among their members and preparing reports.
Thank you for your attention and I wish you a very good conference.